Date: Fri, 27 May 2016 14:34:23 +0200
From: Marek Hulán <mhulan@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-4451: Privilege escalation through Organization and Locations Foreman API
CVE-2016-4451: Privilege escalation through Organization and Locations API
When accessing Foreman as a user limited to a specific organization, a user who
knows another organization's id and whose filters are unlimited (not scoped to
an organization or location) can access or modify that other organization's
data simply by passing the id as an API parameter.
Mitigation: make sure the user's filters are restricted to organizations or
locations whenever you limit a user by assigning them a particular organization
or location.
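To make the scoping problem and the mitigation concrete, here is an added illustration in Ruby; it is not Foreman's code, and the User/Filter/Organization model, the sample users and the resolve_org_* functions are hypothetical.

```ruby
# Added illustration (not Foreman's code): a minimal model of the bug in the
# advisory. A user is assigned a set of organization ids and a set of filters;
# a filter with organization_ids == nil is "unlimited" (not scoped to any org).
Organization = Struct.new(:id, :name)
Filter       = Struct.new(:organization_ids)          # nil => unlimited filter
User         = Struct.new(:login, :organization_ids, :filters)

# Constructed sample organizations.
ORGS = { 1 => Organization.new(1, "acme"), 2 => Organization.new(2, "globex") }

# True when at least one of the user's filters covers the organization.
def filter_allows?(user, org)
  user.filters.any? { |f| f.organization_ids.nil? || f.organization_ids.include?(org.id) }
end

# Vulnerable pattern: the organization is taken from the request parameter and
# only the filters are consulted. An unlimited filter therefore lets the user
# reach any organization whose id they know, ignoring the organizations they
# were actually assigned to.
def resolve_org_vulnerable(user, params)
  org = ORGS[params[:organization_id]]
  return nil unless org
  filter_allows?(user, org) ? org : nil
end

# Hardened pattern: the requested organization must be one the user is
# assigned to, and only then are the filters consulted.
def resolve_org_fixed(user, params)
  org = ORGS[params[:organization_id]]
  return nil unless org && user.organization_ids.include?(org.id)
  filter_allows?(user, org) ? org : nil
end

# Constructed users: alice is limited to org 1 but has an unlimited filter;
# bob is limited to org 1 and his filter is restricted to org 1, which is the
# configuration the advisory's mitigation recommends.
ALICE = User.new("alice", [1], [Filter.new(nil)])
BOB   = User.new("bob",   [1], [Filter.new([1])])

if __FILE__ == $0
  puts resolve_org_vulnerable(ALICE, organization_id: 2).inspect # cross-org access
  puts resolve_org_fixed(ALICE, organization_id: 2).inspect      # nil
  puts resolve_org_vulnerable(BOB, organization_id: 2).inspect   # nil (scoped filter)
end
```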
Affects Foreman 1.7 and higher
Patch available at https://github.com/theforeman/foreman/pull/3553
Fix released in Foreman 1.11.3 (to be released)
For more information please see Redmine issue
http://projects.theforeman.org/issues/15182
--
Marek